Securityflags: g
PEM Private Key Block
Match PEM-encoded private key blocks across the common variants (RSA, EC, DSA, OpenSSH, encrypted, PGP).
Try it in RegexPro →Available in
Pattern
regexengine-agnostic
-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY----- (flags: g)Raw source: -----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?PRIVATE KEY-----
How it works
The optional `(?:RSA |EC |DSA |OPENSSH |ENCRYPTED |PGP )?` group covers the algorithm prefix variants. [\s\S]+? lazily matches the multiline base64 body. The closing `-----END ... PRIVATE KEY-----` mirrors the opening. This is the canonical pattern for secret-scanning tools.
Examples
Input
-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----Matches
-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----
Input
-----BEGIN OPENSSH PRIVATE KEY-----\nb3Blbn...\n-----END OPENSSH PRIVATE KEY-----Matches
-----BEGIN OPENSSH PRIVATE KEY-----\nb3Blbn...\n-----END OPENSSH PRIVATE KEY-----
Input
-----BEGIN CERTIFICATE-----No match
—Common use cases
- •Pre-commit secret-scanning for committed private keys
- •PR diff scanning in CI
- •Backup file redaction
- •Incident response for key leaks
Related patterns
PEM Certificate Block
SecurityMatch PEM-encoded certificate and key blocks, capturing the block type and base64 content.
AWS Access Key ID
SecurityMatch AWS access key IDs (both long-term AKIA and temporary ASIA prefixes).
SSH Public Key
SecurityMatch SSH public keys in OpenSSH `authorized_keys` format, including the optional comment field.
Generic API Key
SecurityMatch generic long alphanumeric tokens (32+ chars) typical of API keys and access tokens.